DRAFT INTERNATIONAL STANDARD IEC/DIS 80001-1 ISO/TC 215

Secretariat: ANSI

Voting begins on 2009-07-31

Voting terminates on 2010-01-08

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • INTERNATIONAL ELECTROTECHNICAL COMMISSION

Application of risk management for IT-networks incorporating medical devices — Part 1: Roles, responsibilities and activities

ICS 35.240.80

This draft is submitted to a parallel enquiry in ISO and a CDV vote in the IEC. In accordance with the provisions of Council Resolution 15/1993 this document is circulated in the English language only.

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH. IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS. RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

© International Electrotechnical Commission, 2009


80001-1Ed.1/CDV © IEC:2009


CONTENTS

FOREWORD  3
INTRODUCTION  5
1 Scope  7
1.1 Purpose  7
1.2 Field of application  7
2 Terms and Definitions  7
3 Roles and responsibilities  11
3.1 General  11
3.2 RESPONSIBLE ORGANIZATION  11
3.3 TOP MANAGEMENT  12
3.4 MEDICAL IT-NETWORK RISK MANAGER  13
3.5 MEDICAL DEVICE manufacturer(s)  14
3.6 Other providers of information technology  15
4 Life cycle RISK MANAGEMENT in MEDICAL IT-NETWORKS  15
4.1 Overview  15
4.2 RESPONSIBLE ORGANIZATION RISK MANAGEMENT  16
4.3 MEDICAL IT-NETWORK RISK MANAGEMENT Planning and Documentation  17
4.4 CHANGE-RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT  19
4.5 Live Network RISK MANAGEMENT  24
5 Document control  24
5.1 Document control procedure  24
5.2 MEDICAL IT-NETWORK RISK MANAGEMENT FILE  24
Annex A (Informative) Rationale  26
Annex B (Informative) Overview of RISK MANAGEMENT relationships  29
Annex C (Informative) Guidance on field of application  30
Annex D (Informative) Relationship with ISO/IEC 20000 Information technology — Service management  32
Annex E Bibliography  35

Figure 1 – Illustration of TOP MANAGEMENT responsibilities  13
Figure 2 – Overview of life cycle RISK MANAGEMENT of MEDICAL IT-NETWORKS  16
Figure B.1 – Overview of roles and relationships  29
Figure D.1 – Service management processes  32

Table C.1 – IT-NETWORK scenarios that may be encountered in a clinical environment  30
Table D.1 – Relationship between IEC 80001-1 and ISO/IEC 20000  33


INTERNATIONAL ELECTROTECHNICAL COMMISSION

Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with an IEC Publication.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 80001 has been prepared by a Joint Working Group of IEC subcommittee 62A: Common aspects of electrical equipment used in medical practice of IEC technical committee 62: Electrical equipment in medical practice and ISO technical committee 215: Health informatics.

The text of this standard is based on the following documents:

FDIS: XX/XX/FDIS
Report on voting: XX/XX/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table. This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.


The committee has decided that the contents of this publication will remain unchanged until the maintenance result date 1) indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be

– reconfirmed,
– withdrawn,
– replaced by a revised edition, or
– amended.

1) The National Committees are requested to note that for this publication the maintenance result date will be established during the FDIS ballot.


INTRODUCTION

An increasing number of MEDICAL DEVICES are designed to exchange information electronically with other equipment in the user environment, including other MEDICAL DEVICES. Such information is frequently exchanged through an information technology network (IT-NETWORK) that also transfers data of a more general nature.

At the same time, IT-NETWORKS are becoming increasingly vital to the clinical environment and are now required to carry increasingly diverse traffic, ranging from life-critical PATIENT data requiring immediate delivery and response, to general corporate operations data and to email containing potential malicious content (e.g. viruses).

For many jurisdictions, design and production of MEDICAL DEVICES is subject to regulation, and to standards recognized by the regulators. Traditionally, regulators direct their attention to MEDICAL DEVICE manufacturers, by requiring design features and by requiring a documented PROCESS for design and manufacturing. MEDICAL DEVICES cannot be placed on the market in these jurisdictions without evidence that those requirements have been met.

The use of the MEDICAL DEVICES by clinical staff is also subject to regulation. Members of clinical staff have to be appropriately trained and qualified, and are increasingly subject to defined PROCESSES designed to protect PATIENTS from unacceptable RISK.

In contrast, the incorporation of MEDICAL DEVICES into IT-NETWORKS in the clinical environment is a less regulated area. IEC 60601-1:2005 [1] requires MEDICAL DEVICE manufacturers to include some information in ACCOMPANYING DOCUMENTS if the MEDICAL DEVICE is intended to be connected to an IT-NETWORK. Standards are also in place covering common information technology activities including planning, design and maintenance of IT-NETWORKS, for instance ISO 20000-1:2005 [9]. However, until the publication of this standard, no standard addressed how MEDICAL DEVICES can be connected to IT-NETWORKS, including general-purpose IT-NETWORKS, to achieve INTEROPERABILITY without compromising the organization and delivery of health care in terms of SAFETY, EFFECTIVENESS, and DATA AND SYSTEM SECURITY.

There remain a number of potential problems associated with the incorporation of MEDICAL DEVICES into IT-NETWORKS, including:

– lack of consideration for risk from use of IT-networks during evaluation of clinical risk;
– lack of support from manufacturers of MEDICAL DEVICES for the incorporation of their products into IT-NETWORKS (e.g. the unavailability or inadequacy of information provided by the manufacturer to the OPERATOR of the IT-NETWORK);
– incorrect operation or degraded performance (e.g. incompatibility or improper configuration) resulting from combining MEDICAL DEVICES and other equipment on the same IT-NETWORK;
– incorrect operation resulting from combining MEDICAL DEVICE SOFTWARE and other software applications (e.g. open email systems or computer games) in the same IT-NETWORK; and
– the conflict between the need for strict change control of MEDICAL DEVICES and the need for rapid response to an attack by malware.

When these problems manifest themselves, unintended consequences frequently follow.

This standard is addressed to RESPONSIBLE ORGANIZATIONS, to manufacturers of MEDICAL DEVICES, and to providers of information technologies.

This standard adopts the following principles as a basis for its normative and informative sections:

– The incorporation or removal of a MEDICAL DEVICE or other components in an IT-NETWORK is a task which requires design of the action; this might be out of the control of the manufacturer of the MEDICAL DEVICE.

– RISK MANAGEMENT should be used before the incorporation of a MEDICAL DEVICE into an IT-NETWORK takes place, and during the entire life cycle of the IT-NETWORK incorporating the MEDICAL DEVICE, to avoid unacceptable RISKS, including possible HARM to PATIENTS, resulting from the incorporation of the MEDICAL DEVICE into the IT-NETWORK. Many things are part of a risk decision, such as liability, cost, or mission effectiveness. These should be considered in determining acceptable risk in addition to the requirements described in this standard.

– Aspects of removal, change or modification of equipment, items or components should be addressed adequately in addition to the incorporation of MEDICAL DEVICES.

– The manufacturer of the MEDICAL DEVICE is responsible for RISK MANAGEMENT of the MEDICAL DEVICE during the design, implementation, and manufacturing of the MEDICAL DEVICE.

– The manufacturer of a MEDICAL DEVICE intended to be incorporated into an IT-NETWORK might need to provide information about the MEDICAL DEVICE that is necessary to allow the RESPONSIBLE ORGANIZATION to manage RISK according to this standard. This information includes, as part of the ACCOMPANYING DOCUMENTS, instructions specifically addressed to the person who incorporates a MEDICAL DEVICE into an IT-NETWORK.

– Such ACCOMPANYING DOCUMENTS should convey instructions about how to incorporate the MEDICAL DEVICE into the IT-NETWORK, how the MEDICAL DEVICE transfers information over the IT-NETWORK, and the minimum IT-NETWORK characteristics necessary to enable the INTENDED USE of the MEDICAL DEVICE when it is incorporated into the IT-NETWORK. The ACCOMPANYING DOCUMENTS should warn of HAZARDS associated with the misuse of the IT-NETWORK connection or of the information that is transferred over the IT-NETWORK.

– One or more RESPONSIBILITY AGREEMENTS can establish roles and responsibilities among those engaged in the incorporation of a MEDICAL DEVICE into an IT-NETWORK, all aspects of the life cycle of the resulting MEDICAL IT-NETWORK and all activities that form part of that life cycle.

– The RESPONSIBLE ORGANIZATION is required to appoint people to certain roles defined in this standard. This standard defines the responsibilities of those roles. The most important of those roles is the MEDICAL IT-NETWORK RISK MANAGER. This role can be assigned to someone within the RESPONSIBLE ORGANIZATION or to an external contractor.

– The MEDICAL IT-NETWORK RISK MANAGER is responsible for ensuring that RISK MANAGEMENT is included during the:

  – planning and design of new incorporations of MEDICAL DEVICES or changes to such incorporations;
  – putting the MEDICAL IT-NETWORK into use and the consequent use of the MEDICAL IT-NETWORK;
  – CHANGE-RELEASE MANAGEMENT and change management of the IT-NETWORK during the IT-NETWORK’S entire life cycle.

RISK MANAGEMENT should be applied to address the following KEY PROPERTIES appropriate for the IT-NETWORK incorporating a MEDICAL DEVICE:

– SAFETY;
– EFFECTIVENESS (effective treatment of the PATIENT using the information exchanged and also effective delivery of healthcare by the RESPONSIBLE ORGANIZATION due to the exchange of information); and
– DATA AND SYSTEM SECURITY.

Application of risk management for IT-networks incorporating medical devices - Part 1: Roles, responsibilities and activities

1 Scope

1.1 Purpose

Recognizing that MEDICAL DEVICES are incorporated into IT-NETWORKS to achieve desirable benefits (for example, INTEROPERABILITY), this international standard defines the roles, responsibilities and activities that are necessary for RISK MANAGEMENT of IT-NETWORKS incorporating MEDICAL DEVICES to address the KEY PROPERTIES. This international standard does not specify acceptable RISK levels.

1.2 Field of application

This standard applies throughout the life cycle of IT-NETWORKS incorporating MEDICAL DEVICES.

This standard applies where there is no single MEDICAL DEVICE manufacturer assuming responsibility for addressing the KEY PROPERTIES of the IT-NETWORK incorporating a MEDICAL DEVICE.

NOTE 1 If a single manufacturer specifies a complete MEDICAL DEVICE that includes a network, the installation or assembly of the MEDICAL DEVICE according to the manufacturer’s ACCOMPANYING DOCUMENTS is not subject to the provisions of this standard regardless of who installs or assembles the MEDICAL DEVICE.

NOTE 2 If a single manufacturer specifies a complete MEDICAL DEVICE that includes a network, additions to that MEDICAL DEVICE or modification of the configuration of that MEDICAL DEVICE, other than as specified by the manufacturer, is subject to the provisions of this standard.

This standard applies to RESPONSIBLE ORGANIZATIONS, MEDICAL DEVICE manufacturers and other providers of information technologies for the purpose of comprehensive RISK MANAGEMENT.

This standard does not apply to personal use applications where the PATIENT, OPERATOR and RESPONSIBLE ORGANIZATION are one and the same person.

This standard does not address regulatory or legal requirements.

2 Terms and Definitions

For the purposes of this document, the following terms and definitions apply:

2.1 ACCOMPANYING DOCUMENT
a document accompanying a MEDICAL DEVICE or an accessory and containing information for the RESPONSIBLE ORGANIZATION or OPERATOR, particularly regarding SAFETY

NOTE Adapted from IEC 60601-1:2005, definition 3.4.

2.2 CHANGE-RELEASE MANAGEMENT
a PROCESS that ensures all changes to the IT-NETWORK are assessed, approved, implemented and reviewed in a controlled manner and that changes are delivered, distributed, and tracked leading to release of the change in a controlled manner with appropriate input and output with CONFIGURATION MANAGEMENT

NOTE Adapted from ISO/IEC 20000-1:2005, Subclauses 9.2 (change management) and 10.1 (release management).

2.3 CHANGE PERMIT
a RISK CONTROL measure consisting of a document which allows a specified change or type of change without further risk control activities subject to specified limitations

2.4 CONFIGURATION MANAGEMENT
a PROCESS that ensures that configuration information of components and the IT-NETWORK are defined and maintained in an accurate and controlled manner. It provides a mechanism for identifying, controlling and tracking versions of the IT-NETWORK

NOTE Adapted from ISO/IEC 20000-1:2005, Subclause 9.1.

2.5 DATA AND SYSTEMS SECURITY
an operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability

NOTE 1 Security, when mentioned in this standard, should be taken to include DATA AND SYSTEMS SECURITY.

NOTE 2 DATA AND SYSTEMS SECURITY is assured through a framework of policy, guidance, infrastructure, and services designed to protect information assets and the systems that acquire, transmit, store, and use information in pursuit of the organization’s mission.

2.6 EFFECTIVENESS
ability to produce the intended result for the patient and the RESPONSIBLE ORGANIZATION

2.7 EVENT MANAGEMENT
a PROCESS that ensures that all events that can or might negatively impact the operation of the IT-NETWORK are captured, assessed, and managed in a controlled manner

NOTE Adapted from ISO/IEC 20000-1:2005, Subclauses 8.2 (incident management) and 8.3 (problem management).

2.8 HARM
physical injury or damage to the health of people, or damage to property or the environment

[ISO 14971:2007, definition 2.2]

NOTE In the present standard, HARM includes disruption or loss of effective care delivery and/or loss of privacy.

2.9 HAZARD
potential source of HARM

[ISO 14971:2007, definition 2.3]

2.10 INTENDED USE
INTENDED PURPOSE
use for which a product, PROCESS or service is intended according to the specifications, instructions and information provided by the manufacturer

[ISO 14971:2007, definition 2.5]

2.11 INTEROPERABILITY
a property permitting diverse systems or components to work together for a specified purpose

2.12 IT-NETWORK (INFORMATION TECHNOLOGY NETWORK)
a system or systems composed of communicating nodes and transmission links to provide physically linked or wireless transmission between two or more specified communication nodes

NOTE 1 Adapted from IEC 61907:— 2), definition 3.1

NOTE 2 The scope of the MEDICAL IT-NETWORK in this standard is defined by the RESPONSIBLE ORGANIZATION based on where the MEDICAL DEVICES in the MEDICAL IT-NETWORK are located and the defined use of the network. It can contain IT infrastructure, home health and non-clinical contexts. See also 4.3.3.

2.13 KEY PROPERTIES
– SAFETY;
– EFFECTIVENESS;
– DATA AND SYSTEM SECURITY

2) To be published.

2.14 MEDICAL DEVICE
any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of

– diagnosis, prevention, monitoring, treatment or alleviation of disease,
– diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
– investigation, replacement, modification, or support of the anatomy or of a physiological PROCESS,
– supporting or sustaining life,
– control of conception,
– disinfection of MEDICAL DEVICES,
– providing information for medical purposes by means of in vitro examination of specimens derived from the human body,

and which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means

NOTE 1 This definition has been developed by the Global Harmonization Task Force (GHTF). See Annex E reference [10].

[ISO 13485:2003, definition 3.7]

NOTE 2 Products, which could be considered to be MEDICAL DEVICES in some jurisdictions but for which there is not yet a harmonized approach, include:

– aids for disabled/handicapped people,
– devices for the treatment/diagnosis of diseases and injuries in animals,
– accessories for MEDICAL DEVICES (see Note 3),
– disinfection substances,
– devices incorporating animal and human tissues which can meet the requirements of the above definition but are subject to different controls.

NOTE 3 Accessories intended specifically by manufacturers to be used together with a “parent” MEDICAL DEVICE to enable that MEDICAL DEVICE to achieve its INTENDED PURPOSE, should be subject to this International Standard.

[ISO 14971:2007, definition 2.9]

2.15 MEDICAL DEVICE SOFTWARE
software system that has been developed for the purpose of being incorporated into the MEDICAL DEVICE or that is intended for use as a MEDICAL DEVICE in its own right

NOTE Adapted from IEC 62304:2006, definition 3.12

2.16 MEDICAL IT-NETWORK
an IT-NETWORK that incorporates at least one MEDICAL DEVICE

2.17 MEDICAL IT-NETWORK RISK MANAGER
person accountable for RISK MANAGEMENT of a MEDICAL IT-NETWORK

2.18 OPERATOR
person handling equipment

[IEC 60601-1:2005, definition 3.73]

2.19 PATIENT
living being (person or animal) undergoing a medical, surgical or dental procedure

[IEC 60601-1:2005, definition 3.76]

2.20 PROCESS
a set of interrelated or interacting activities that transform inputs into outputs

[ISO 14971:2007, definition 2.13]

NOTE The term “activities” covers use of resources.

2.21 RESIDUAL RISK
RISK remaining after RISK CONTROL measures have been taken

[ISO 14971:2007, definition 2.15]

2.22 RESPONSIBILITY AGREEMENT
one or more documents that together fully define the responsibilities of all relevant stakeholders

NOTE This agreement can be a legal document, e.g. a contract.

2.23 RESPONSIBLE ORGANIZATION
entity accountable for the use and maintenance of a MEDICAL IT-NETWORK

NOTE 1 The accountable entity can be, for example, a hospital, a private clinician or a telehealth organization.

NOTE 2 In cases where a medical device is used at home under the supervision and/or instruction of the provider, that provider is deemed to be the responsible organization. Personal use where the patient acquires and uses a medical device without the supervision of a provider is out of scope of this standard.

NOTE 3 Education and training are included in "use."

NOTE 4 Adapted from IEC 60601-1:2005 definition 3.101.

2.24 RISK
combination of the probability of occurrence of HARM and the severity of that HARM

[ISO 14971:2007, definition 2.16]

2.25 RISK ANALYSIS
systematic use of available information to identify HAZARDS and to estimate the RISK

[ISO 14971:2007, definition 2.17]

2.26 RISK ASSESSMENT
overall PROCESS comprising a RISK ANALYSIS and a RISK EVALUATION

[ISO/IEC Guide 51:1999, definition 3.12]

2.27 RISK CONTROL
PROCESS in which decisions are made and measures are implemented by which RISKS are reduced to, or maintained within, specified levels

[ISO 14971:2007, definition 2.19]

2.28 RISK EVALUATION
PROCESS of comparing the estimated RISK against given RISK criteria to determine the acceptability of the RISK

[ISO 14971:2007, definition 2.21]

2.29 RISK MANAGEMENT
systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling, and monitoring RISK

[ISO 14971:2007, definition 2.22]

2.30 RISK MANAGEMENT FILE
set of records and other documents that are produced by RISK MANAGEMENT

[ISO 14971:2007, definition 2.23]

2.31 SAFETY
freedom from unacceptable RISK

[ISO 14971:2007, definition 2.24]

2.32 TOP MANAGEMENT
person or group of people who direct(s) and control(s) the RESPONSIBLE ORGANIZATION accountable for a MEDICAL IT-NETWORK at the highest level

NOTE Adapted from ISO 9000:2005, definition 3.2.7.

2.33 VERIFICATION
confirmation through provision of objective evidence that specified requirements have been fulfilled

NOTE 1 The term “verified” is used to designate the corresponding status.

NOTE 2 Confirmation can comprise activities such as:

— performing alternative calculations;
— comparing a new design specification with a similar proven design specification;
— undertaking tests and demonstrations; and
— reviewing documents prior to issue.

[ISO 14971:2007, definition 2.28]

NOTE 3 In design and development, VERIFICATION concerns the PROCESS of examining the result of a given activity to determine conformity with the stated requirement for that activity.

3 Roles and responsibilities

3.1 General

Incorporation and modification of equipment or software of a MEDICAL IT-NETWORK shall be performed under a framework of clearly defined responsibilities. At a minimum, the parties, responsibilities and requirements identified in clauses 3.2 through 3.6 shall be defined.

For the particular MEDICAL IT-NETWORK being considered, the RESPONSIBLE ORGANIZATION shall establish and maintain a MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

All documentation related to the requirements of this standard as well as all supporting documentation shall be maintained in a MEDICAL IT-NETWORK RISK MANAGEMENT FILE. This file shall contain the current CONFIGURATION MANAGEMENT information for the MEDICAL IT-NETWORK.

NOTE The CONFIGURATION MANAGEMENT information can be included in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE either through explicit documentation or by reference, for example, to a live database.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

3.2 RESPONSIBLE ORGANIZATION

The overall responsibility for RISK MANAGEMENT for a MEDICAL IT-NETWORK shall stay within the RESPONSIBLE ORGANIZATION.

The RESPONSIBLE ORGANIZATION shall be the owner of the RISK MANAGEMENT PROCESS for the MEDICAL IT-NETWORK, spanning planning, design, installation, device connection, configuration, use/operation, maintenance, and device decommissioning.

80001-1Ed.1/CDV © IEC:2009

– 12 –

324

Compliance is checked by audit of the RESPONSIBLE ORGANIZATION .

3.3 TOP MANAGEMENT

For RISK MANAGEMENT of MEDICAL IT-NETWORKS, TOP MANAGEMENT shall:

a) establish a policy for RISK MANAGEMENT for incorporating MEDICAL DEVICES;

b) define the policy for determining acceptable RISK, taking into account relevant international standards and national or regional regulations;

c) ensure the provision of adequate resources;

d) ensure the assignment of qualified personnel for management, performance of work and assessment activities; and

e) review the results of RISK MANAGEMENT activities at defined intervals to ensure continuing suitability and the effectiveness of the RISK MANAGEMENT PROCESS.

The above shall be documented in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

TOP MANAGEMENT shall appoint a MEDICAL IT-NETWORK RISK MANAGER, who has the necessary qualification, knowledge and competence for RISK MANAGEMENT applied to MEDICAL IT-NETWORKS (see 3.4).

TOP MANAGEMENT shall identify the people responsible for the following tasks and ensure that they co-operate with the MEDICAL IT-NETWORK RISK MANAGER:

a) gathering, analysis, assessment and storage of information needed for RISK MANAGEMENT;

b) lifecycle management of MEDICAL DEVICES incorporated in IT-NETWORKS;

c) reviewing and accepting RESIDUAL RISK on behalf of TOP MANAGEMENT;

d) maintenance of MEDICAL IT-NETWORKS; and

e) choice of and procurement of MEDICAL DEVICES.

TOP MANAGEMENT shall ensure that participation in the RISK MANAGEMENT PROCESS for MEDICAL IT-NETWORKS includes management responsible for:

a) MEDICAL IT-NETWORKS (medical IT);

b) IT department (general IT);

c) life-cycle management of MEDICAL DEVICES connected to IT-NETWORKS (for example biomedical engineering, radiological engineering);

d) clinical departments representing the users of the MEDICAL DEVICES; and

e) technical support departments responsible for the MEDICAL DEVICES (for example bio-engineering department).

TOP MANAGEMENT shall ensure:

a) that all supervision, operation, installation and maintenance of MEDICAL IT-NETWORK(S) throughout the life cycle is made according to the RISK MANAGEMENT plan and follows the results of the IT-NETWORK RISK MANAGEMENT PROCESS, whoever performs these tasks; and

b) that all parties performing supervision, operation, installation and maintenance of MEDICAL IT-NETWORK(S) are adequately informed about their responsibility according to this standard, including their responsibility for maintaining the effectiveness of RISK CONTROLS.

NOTE The top management responsibilities are illustrated in Figure 1.

[Figure 1 (diagram; text recovered from the figure): RESPONSIBLE ORGANIZATION; TOP MANAGEMENT responsibilities. Policies for: RISK MANAGEMENT PROCESS; RISK acceptability criteria; balancing the three KEY PROPERTIES with the mission of the RESPONSIBLE ORGANIZATION. Resources: provision of adequate resources; assignment of qualified personnel; appointment of the MEDICAL IT-NETWORK RISK MANAGER; enforcement of RESPONSIBILITY AGREEMENT(S). RISK MANAGEMENT PROCESS: clear connection to other processes; ensure continuing suitability and effectiveness; review results at defined intervals.]

Figure 1 – Illustration of TOP MANAGEMENT responsibilities

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

3.4 MEDICAL IT-NETWORK RISK MANAGER

The MEDICAL IT-NETWORK RISK MANAGER shall be responsible for the management and/or execution of the RISK MANAGEMENT PROCESS to maintain the KEY PROPERTIES of the MEDICAL IT-NETWORK.

The MEDICAL IT-NETWORK RISK MANAGER shall be responsible for the following aspects of the RISK MANAGEMENT of IT-NETWORKS incorporating MEDICAL DEVICES:

a) overall management of the RISK MANAGEMENT PROCESS;

b) reporting on the RISK MANAGEMENT PROCESS to the TOP MANAGEMENT; and

c) managing the necessary communication between the internal and external participants in RISK MANAGEMENT. Such participants may include, as appropriate:

i. MEDICAL DEVICE manufacturers;

ii. IT suppliers of equipment, software and services;

iii. internal IT department and other facilities management departments;

iv. clinical users; and

v. technical support departments responsible for MEDICAL DEVICES (for example bioengineering).

The MEDICAL IT-NETWORK RISK MANAGER shall be responsible for the design, maintenance, and performance of the RISK MANAGEMENT PROCESS. This includes but is not limited to:

a) collection of all relevant information on the MEDICAL DEVICES;

b) planning the incorporation of the MEDICAL DEVICES in accordance with the instructions provided by the various MEDICAL DEVICE manufacturers;

c) the performance of the RISK MANAGEMENT PROCESS whenever a MEDICAL DEVICE is added to an IT-NETWORK;

d) the performance of the RISK MANAGEMENT PROCESS whenever an incorporated MEDICAL DEVICE or the MEDICAL IT-NETWORK is changed;

e) informing the RESPONSIBLE ORGANIZATION about unacceptable RISK related to the MEDICAL IT-NETWORK and the associated HAZARDS arising from any changes in configuration; and

f) monitoring all projects or changes to the MEDICAL IT-NETWORK.

These tasks may be delegated, but the MEDICAL IT-NETWORK RISK MANAGER remains responsible for ensuring their adequate performance.

In choosing a MEDICAL IT-NETWORK RISK MANAGER, the RESPONSIBLE ORGANIZATION shall ensure that the MEDICAL IT-NETWORK RISK MANAGER has the necessary training and experience to perform the responsibilities of a MEDICAL IT-NETWORK RISK MANAGER.

Compliance is checked by audit of the RESPONSIBLE ORGANIZATION.

3.5 MEDICAL DEVICE manufacturer(s)

Pursuant to applicable regulations and relevant standards, each MEDICAL DEVICE manufacturer shall provide ACCOMPANYING DOCUMENTS to the RESPONSIBLE ORGANIZATION which describe the INTENDED USE and give instructions necessary for the safe and effective use of the MEDICAL DEVICE.

For a MEDICAL DEVICE whose INTENDED USE includes connection to an IT-NETWORK, the MEDICAL DEVICE manufacturer shall provide, as part of the ACCOMPANYING DOCUMENTS, instructions for implementing such connection, including but not limited to the following:

a) the INTENDED USE of the MEDICAL DEVICE'S connection to an IT-NETWORK;

b) the required characteristics for the IT-NETWORK incorporating the MEDICAL DEVICE;

c) the required configuration of the IT-NETWORK incorporating the MEDICAL DEVICE;

d) the technical specifications of the network connection of the MEDICAL DEVICE including security specifications; and

e) the intended information flow between the MEDICAL DEVICE, the MEDICAL IT-NETWORK and other devices on the MEDICAL IT-NETWORK; and if relevant to the KEY PROPERTIES, the intended routing through the MEDICAL IT-NETWORK.

NOTE 1 An example of possible required IT-NETWORK characteristics can be found in Annex H of IEC 60601-1:2005 [1].

If required by a RESPONSIBILITY AGREEMENT, the MEDICAL DEVICE manufacturer shall provide additional documentary information to the RESPONSIBLE ORGANIZATION for a specific use of the MEDICAL DEVICE incorporated in an IT-NETWORK, provided that such use is consistent with the INTENDED USE of the MEDICAL DEVICE.

The MEDICAL DEVICE manufacturer shall transfer documentary information from its RISK MANAGEMENT FILE that is necessary for the RESPONSIBLE ORGANIZATION to perform its RISK MANAGEMENT PROCESS. The information shall include a description of any RESIDUAL RISK that needs to be managed by the RESPONSIBLE ORGANIZATION.

NOTE 2 RESIDUAL RISK in this context can include that identified in ISO 14971 [4], as well as additional information necessary to the KEY PROPERTIES.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

3.6 Other providers of information technology

Other providers of information technology may provide:

a) infrastructure components;

b) infrastructure services;

c) client devices not being MEDICAL DEVICES;

d) servers;

e) application software; or

f) middleware.

Pursuant to applicable regulations and relevant standards, each provider of other information technology (equipment and/or software) shall provide documentary information to the RESPONSIBLE ORGANIZATION as follows:

a) technical descriptions and technical manuals;

b) recommended product configurations;

c) known incompatibilities and restrictions;

d) operating requirements;

e) product corrective actions and recalls; and

f) cyber security notices.

The provider of other information technology shall provide supplementary documentary information to the RESPONSIBLE ORGANIZATION as appropriate to further support the RISK MANAGEMENT activities.

Examples of supplementary information:

a) test strategies and test acceptance criteria;

b) disclosure of failure modes;

c) system reliability statistics;

d) safety cases; and

e) performance.

The stakeholders may utilize a RESPONSIBILITY AGREEMENT in order to share information.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4 Life cycle RISK MANAGEMENT in MEDICAL IT-NETWORKS

4.1 Overview

The RESPONSIBLE ORGANIZATION shall maintain the KEY PROPERTIES of the MEDICAL IT-NETWORK throughout the life cycle.

NOTE The life cycle RISK MANAGEMENT of MEDICAL IT-NETWORKS is illustrated in Figure 2.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

[Figure 2 (flow chart; text recovered from the figure): Request for Change to or creation of a MEDICAL IT-NETWORK; Change control: Applicable CHANGE PERMIT? (Yes / No); "Project": Project plan, Execute RISK MANAGEMENT, Update RM file; RESIDUAL RISK evaluation & Report (Unacceptable / Acceptable); CONFIGURATION MANAGEMENT; Go live; Live environment; Monitoring; EVENT MANAGEMENT.]

Figure 2 – Overview of life cycle RISK MANAGEMENT of MEDICAL IT-NETWORKS

4.2 RESPONSIBLE ORGANIZATION RISK MANAGEMENT

4.2.1 Policy for RISK MANAGEMENT for incorporating MEDICAL DEVICES

To support the MEDICAL IT-NETWORK life cycle, the TOP MANAGEMENT shall define and document a RISK MANAGEMENT policy for incorporating MEDICAL DEVICES into an IT-NETWORK. The RISK MANAGEMENT policy shall include:

a) balancing the three KEY PROPERTIES with the mission of the RESPONSIBLE ORGANIZATION;

b) a means to establish RISK acceptability criteria for each of the KEY PROPERTIES taking into account relevant international standards and national or regional regulations;

c) a description of or reference to processes applying to MEDICAL IT-NETWORKS including, at least,

i. EVENT MANAGEMENT,

ii. CHANGE-RELEASE MANAGEMENT,

iii. CONFIGURATION MANAGEMENT, and

iv. monitoring.

NOTE IT-NETWORK life cycle activities can be captured in an IT service management policy (e.g., per ISO 20000) provided there is a clear relationship to the RISK MANAGEMENT policy.

The policy shall be expressed in terms that can easily be interpreted throughout all RISK MANAGEMENT activities.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.2.2 RISK MANAGEMENT PROCESS

The MEDICAL IT-NETWORK RISK MANAGER shall establish and maintain a PROCESS for identifying HAZARDS, estimating and evaluating the associated RISKS, controlling these RISKS, and monitoring the effectiveness of the controls, taking the defined use of the MEDICAL IT-NETWORK into account.

NOTE 1 As the MEDICAL IT-NETWORK is used in the field of medical application, the PROCESS should be implemented in accordance with the requirements of ISO 14971. Because RISK MANAGEMENT in MEDICAL IT-NETWORKS includes creation of MEDICAL IT-NETWORKS and incorporation of additional devices as well as ongoing life cycle processes, this standard specifies MEDICAL IT-NETWORK project PROCESSES within ongoing MEDICAL IT-NETWORK life cycle PROCESSES in section 4.

NOTE 2 Subsequent changes to the MEDICAL IT-NETWORK could introduce new RISKS and require additional analyses.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.3 MEDICAL IT-NETWORK RISK MANAGEMENT Planning and Documentation

4.3.1 Overview

The RESPONSIBLE ORGANIZATION shall plan RISK MANAGEMENT of the MEDICAL IT-NETWORK by providing:

a) RISK-relevant asset description,

b) IT-NETWORK documentation, and

c) a RISK MANAGEMENT plan for the MEDICAL IT-NETWORK.

NOTE 1 Assessment and documentation of the structure of the network is essential to provide the necessary information for RISK ANALYSIS and RISK EVALUATION.

Because of the nature of IT-NETWORKS, both the current state of the IT-NETWORK and planned changes shall be considered.

Initial development of new MEDICAL IT-NETWORKS as well as changes to existing MEDICAL IT-NETWORKS not covered by documented CHANGE PERMITS shall be managed by projects.

NOTE 2 A MEDICAL IT-NETWORK can have multiple concurrent or sequential projects.

NOTE 3 See also Subclauses 4.4.3.3 for MEDICAL IT-NETWORK Projects and 4.4.3.2 for CHANGE PERMIT as a RISK CONTROL Measure.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.3.2 Asset description

The RESPONSIBLE ORGANIZATION shall establish a list of assets of IT-NETWORKS interfacing with MEDICAL DEVICES. Typical assets include, but are not limited to, hardware, software, and data essential to the INTENDED USE of the MEDICAL DEVICE and the defined use of the MEDICAL IT-NETWORK when identified. The asset list may include for example:

a) specific components of the MEDICAL IT-NETWORK and all attached MEDICAL DEVICES and other equipment (e.g. image creating modalities, network components) of the IT infrastructure;

b) operational characteristics of the IT infrastructure of the hospital (e.g. performance properties such as bandwidth);

c) CONFIGURATION MANAGEMENT information;

d) medical application software itself;

e) data about configuration of hardware and software;

f) personal data of a specific PATIENT;

g) healthcare procedure support information, including history of use and OPERATOR/user details; and

h) a security description and other materials relevant to total system SAFETY RISK considerations (in case security is an aspect of SAFETY).

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.3.3 MEDICAL IT-NETWORK documentation

The RESPONSIBLE ORGANIZATION shall establish and maintain network documentation necessary to support the RISK MANAGEMENT of the MEDICAL IT-NETWORK for the interfaces between the MEDICAL DEVICE(S) and all network components (both software and hardware). This documentation shall include but not be limited to:

a) physical network configuration;

b) logical network configuration;

c) applied standards and conformance statements;

d) client / server structure;

e) network security, reliability and data integrity;

f) network communication requirements for each MEDICAL DEVICE; and

g) future (planned / reasonably foreseeable) changes / upgrades / enhancements.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.3.4 RESPONSIBILITY AGREEMENT

Whenever a MEDICAL DEVICE is incorporated into an IT-NETWORK, or the configuration of such a connection is changed, one or more documented RESPONSIBILITY AGREEMENTS shall exist that define (e.g. by contract) the responsibilities of all relevant stakeholders.

A RESPONSIBILITY AGREEMENT may cover one or more projects or the maintenance of one or more MEDICAL IT-NETWORKS, and shall identify responsibility for all aspects of the MEDICAL IT-NETWORK life cycle and all activities that form part of that life cycle.

NOTE 1 In order to support incorporating MEDICAL DEVICES into an IT-NETWORK, the MEDICAL DEVICE manufacturers provide technical information appropriate to the creation of RESPONSIBLE ORGANIZATION RISK MANAGEMENT documentation. Where the PROCESS requires information that a MEDICAL DEVICE manufacturer believes is sensitive in nature, the provision of the information will be determined by the RESPONSIBILITY AGREEMENT and can be protected by a confidentiality agreement.

The RESPONSIBILITY AGREEMENTS shall contain (or refer to documents which contain) at a minimum:

a) the name of the person responsible for RISK MANAGEMENT for the activities covered by the RESPONSIBILITY AGREEMENT;

b) the scope of the activities covered by the RESPONSIBILITY AGREEMENT, including a summary of and/or reference to the requirements;

c) a list of the MEDICAL DEVICES and other equipment which are to be incorporated into the IT-NETWORK or changed, together with the names of MEDICAL DEVICE manufacturers or other organizations responsible for the provision of technical information necessary for the completion of the project;

d) a list of documents to be supplied by the MEDICAL DEVICE manufacturers and other equipment suppliers that contain instructions for connection to or disconnection from an IT-NETWORK; and

e) technical information to be supplied by the MEDICAL DEVICE or IT manufacturers and other equipment suppliers that is necessary to perform RISK ANALYSIS for the IT-NETWORK.

The RESPONSIBLE ORGANIZATION shall determine what RESPONSIBILITY AGREEMENTS are needed and shall provide a summary of responsibilities as appropriate.

NOTE 2 The manufacturer of a MEDICAL DEVICE is responsible for providing technical documentation on how to use the MEDICAL DEVICE'S interfaces to connect to an IT-NETWORK, provided that such a connection is included in the INTENDED USE. There is no such obligation on the supplier of other equipment, and it might be necessary to make a specific arrangement to gain access to such technical documentation.

If the co-operation of manufacturers of MEDICAL DEVICES, suppliers of other equipment or other organizations is necessary in addition to the listed documents supplied by the manufacturers or organizations, a RESPONSIBILITY AGREEMENT shall:

a) identify the nature of the co-operation required; and

b) state:

— who is responsible for requesting such co-operation;

— who is responsible for responding to such requests; and

— what criteria will be used to judge the adequacy of such response.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.3.5 RISK MANAGEMENT plan for the MEDICAL IT-NETWORK

The RESPONSIBLE ORGANIZATION shall establish and maintain a RISK MANAGEMENT plan for each MEDICAL IT-NETWORK. The RISK MANAGEMENT plan shall include:

a) a description of the MEDICAL IT-NETWORK, including:

i. identified targeted stakeholders within the RESPONSIBLE ORGANIZATION that shall be informed about HAZARDS to ensure their RISK awareness;

ii. the defined use and expected benefits of the MEDICAL IT-NETWORK;

iii. the reason for each MEDICAL DEVICE incorporation; and

iv. the impact to the manufacturer's INTENDED USE of each MEDICAL DEVICE due to its incorporation into the IT-NETWORK.

b) a description of activities, roles and responsibilities for all parties involved in operating/maintaining the MEDICAL IT-NETWORK, including identification of known and possible new HAZARDS.

c) requirements for monitoring the MEDICAL IT-NETWORK (refer to 4.5.1).

d) criteria for RISK acceptability, based on the RESPONSIBLE ORGANIZATION'S policy for determining acceptable RISK, including criteria for accepting RISKS when the probability of occurrence of HARM cannot be estimated.

When a project introduces changes to an existing MEDICAL IT-NETWORK, the RISK MANAGEMENT plan for the MEDICAL IT-NETWORK shall be updated.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4 CHANGE-RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT

4.4.1 CHANGE-RELEASE MANAGEMENT PROCESS

CHANGE-RELEASE MANAGEMENT is a centralized approval PROCESS that ensures all changes are assessed, approved, implemented and reviewed in a controlled manner. The results of RISK MANAGEMENT shall determine approval and acceptability of review of CHANGE-RELEASE MANAGEMENT.

NOTE The RESPONSIBLE ORGANIZATION needs to show special care regarding the effect of overall RISK from parallel projects and parallel changes interacting in today's complex healthcare environments (thus minimizing negative impact and avoiding more costly EVENT MANAGEMENT).

The RESPONSIBLE ORGANIZATION shall document and apply a CHANGE-RELEASE MANAGEMENT PROCESS.

The MEDICAL IT-NETWORK RISK MANAGER shall ensure that a CHANGE-RELEASE MANAGEMENT PROCESS exists for the MEDICAL IT-NETWORK and that the PROCESS includes RISK MANAGEMENT.

A CONFIGURATION MANAGEMENT PROCESS shall be documented and applied to control the versions of the MEDICAL IT-NETWORK across all RISK MANAGEMENT PROCESSES during MEDICAL IT-NETWORK CHANGE-RELEASE MANAGEMENT.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2 MEDICAL IT-NETWORK RISK MANAGEMENT

4.4.2.1 Overview

RISK MANAGEMENT PROCESSES that support both the execution of a change project as well as the decision to go live on any particular change are described in this section.

The RISK MANAGEMENT elements of RISK ANALYSIS, RISK EVALUATION, RISK CONTROL, RESIDUAL RISK evaluation and reporting and approval shall be documented. This documentation may be integral to the RISK MANAGEMENT plan or exist as separate documents in the RISK MANAGEMENT FILE associated with the MEDICAL IT-NETWORK. Action plans arising from RISK ASSESSMENT shall follow the CHANGE-RELEASE MANAGEMENT PROCESS.

NOTE There is a single set of RISK MANAGEMENT documents per MEDICAL IT-NETWORK because RISK CONTROL measures for any given project or change must not conflict with existing RISK CONTROL measures for the MEDICAL IT-NETWORK or with RISK CONTROL measures proposed by a concurrent project.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.2 RISK ANALYSIS

The RESPONSIBLE ORGANIZATION shall identify HAZARDS that are likely to arise from the MEDICAL IT-NETWORK.

For each identified HAZARD, the RESPONSIBLE ORGANIZATION shall estimate the associated RISKS using available information or data.

NOTE RISKS to be analyzed cover the entire life cycle, especially including the implementation of the change and the regular use of the MEDICAL IT-NETWORK.

If the probability of the occurrence of HARM cannot be estimated, the possible consequences shall be listed for use in RISK EVALUATION and RISK CONTROL.

The results of these activities shall be recorded in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.3 RISK EVALUATION

For each identified HAZARD, the RESPONSIBLE ORGANIZATION shall decide, using the criteria defined in the RISK MANAGEMENT plan, whether:

a) the estimated RISK(S) is so low that RISK reduction need not be pursued. In this case the rationale for this decision shall be documented in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

b) the estimated RISK(S) are not acceptable. In this case RISK CONTROL measures shall be implemented according to 4.4.2.4.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.4 RISK CONTROL

4.4.2.4.1 RISK CONTROL option analysis

The RESPONSIBLE ORGANIZATION shall identify and document proposed RISK CONTROL measures for each unacceptable RISK until the RESIDUAL RISK(S) is judged acceptable.

One or more RISK CONTROL options shall be used in the priority order listed:

a) inherent control by design (e.g. physical isolation of a network from external threats);

b) protective measures (e.g. including alarms);

c) information for assurance of the KEY PROPERTIES (e.g. warnings, user documentation, training).

NOTE 1 RISK CONTROL measures can include for example:

— change permits (see 2.3 and 4.4.3.2);

— network components;

— network configuration;

— organizational considerations; or

— changes to the incorporated MEDICAL DEVICES.

NOTE 2 For each RISK, the design should carefully consider where to best implement the control to ensure sustainability—within the MEDICAL DEVICE or in the MEDICAL IT-NETWORK configuration.

To the extent that RISK CONTROL entails tradeoffs in KEY PROPERTIES, the KEY PROPERTIES shall be considered in priority order of SAFETY, EFFECTIVENESS, and DATA AND SYSTEMS SECURITY.

If, during RISK CONTROL option analysis, the RESPONSIBLE ORGANIZATION determines that required RISK reduction is not practicable, the RESPONSIBLE ORGANIZATION shall conduct and document a RISK/benefit analysis of the RESIDUAL RISK.

NOTE 3 See ISO 14971 [4] for RISK/benefit analysis.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.4.2 RISK CONTROL measures

When a specific RISK CONTROL measure is selected, CHANGE-RELEASE MANAGEMENT PROCESSES shall be followed and recorded in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

RISK CONTROL measures within the MEDICAL DEVICE shall be implemented by the MEDICAL DEVICE manufacturer or by the RESPONSIBLE ORGANIZATION following the instructions for use or with the documented permission of the MEDICAL DEVICE manufacturer.

NOTE If any changes to a MEDICAL DEVICE are undertaken by the RESPONSIBLE ORGANIZATION without documented consent of the MEDICAL DEVICE manufacturer, the RESPONSIBLE ORGANIZATION is responsible for following all necessary regulatory steps for putting such a modified MEDICAL DEVICE into service.

The RISK CONTROL measures selected shall be recorded in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

If a RISK CONTROL measure meets the conditions for a CHANGE PERMIT (see 4.4.3.2), the RESPONSIBLE ORGANIZATION may create a CHANGE PERMIT for future use. The CHANGE PERMIT shall be documented in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.4.3 Implementation of RISK CONTROL measures

The identified RISK CONTROL measures shall be implemented.

Any RESIDUAL RISK shall be documented in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.4.4 VERIFICATION of RISK CONTROL measures

The implementation of all RISK CONTROL measures in the operational system shall be VERIFIED and documented in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

The effectiveness of the RISK CONTROL measures shall be VERIFIED and documented in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

NOTE It might be necessary to verify the effectiveness of RISK CONTROL measures in a test environment prior to implementation in the operational system.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.4.5 New RISKS arising from RISK CONTROL

The implemented RISK CONTROL measures and the installed operational system shall be reviewed for new, unacceptable RISKS (i.e. degraded KEY PROPERTIES or other important attributes essential in realizing the defined use of the MEDICAL IT-NETWORK).

The evaluation shall be documented in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.2.5 Residual risk evaluation and reporting

Based on a pre-release assessment of the effectiveness of the implemented RISK CONTROL measures, the RESIDUAL RISK shall be evaluated.

Both the individual RESIDUAL RISKS and the overall RESIDUAL RISK shall be assessed for acceptability.

NOTE See 4.4.2.3 for RISK EVALUATION.

If an individual RESIDUAL RISK or the overall RESIDUAL RISK is not determined to be acceptable, additional RISK CONTROL measures shall be applied.

The RESPONSIBLE ORGANIZATION shall define and document a RESIDUAL RISK summary containing a list of all individual RESIDUAL RISKS and the overall RESIDUAL RISK remaining after the RISK CONTROL measures have been implemented (see 4.4.2.4.3), including those RESIDUAL RISKS communicated by the MEDICAL DEVICE manufacturer, the RESIDUAL RISKS associated with a particular change project, and the MEDICAL IT-NETWORK RESIDUAL RISK.

If reduction of RESIDUAL RISK to an acceptable level is not practicable, using the RESPONSIBLE ORGANIZATION'S policy for determining acceptable RISK (see 3.3), the person identified by the TOP MANAGEMENT (see 3.3) to review RESIDUAL RISKS (who may be the MEDICAL IT-NETWORK RISK MANAGER) shall conduct and document a RISK/benefit analysis of the individual or overall RESIDUAL RISK against the health benefit accrued from the incorporation of the MEDICAL DEVICE into the IT-NETWORK, and decide whether to approve the MEDICAL IT-NETWORK RESIDUAL RISK.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

719

4.4.3 Decision on how to apply risk management

4.4.3.1 Overview

For any new MEDICAL IT-NETWORK or a change to an existing MEDICAL IT-NETWORK, the CHANGE-RELEASE MANAGEMENT PROCESS shall be initiated.

The RESPONSIBLE ORGANIZATION shall consider the nature of the change to decide whether the requirements are met by an applicable CHANGE PERMIT. Where no applicable CHANGE PERMIT exists, a MEDICAL IT-NETWORK project shall be initiated.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.3.2 CHANGE PERMIT as a RISK CONTROL measure

If the RESPONSIBLE ORGANIZATION decides, as a result of RISK MANAGEMENT activities, that a specified type of routine change may be performed with acceptable RISK, subject to specified conditions, then the RESPONSIBLE ORGANIZATION may define a CHANGE PERMIT which allows such routine changes and specifies the limitations.

NOTE 1 For example, a CHANGE PERMIT might allow the connection of additional MEDICAL DEVICES of a specified type to a MEDICAL IT-NETWORK up to a specified maximum number of devices.

NOTE 2 Provided that the changes performed always conform to the CHANGE PERMIT and its limitations, no CHANGE-RELEASE MANAGEMENT or RISK MANAGEMENT is needed each time the CHANGE PERMIT is used.

A CHANGE PERMIT shall specify what CONFIGURATION MANAGEMENT records are to be kept for each permitted change.

Such CHANGE PERMITS shall be maintained in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

NOTE 3 CHANGE PERMITS can only be established as an outcome of the RISK MANAGEMENT PROCESS (see 4.4.2.4.2).

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.
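The decision in 4.4.3.1, together with the limitations a CHANGE PERMIT carries under 4.4.3.2 (the cap on the number of devices from NOTE 1, any other specified conditions, and the CONFIGURATION MANAGEMENT records the permit requires), can be made a mechanical check. The Python below is an added example written for this edition, not code from the standard or from any IEC project; the ChangePermit/ProposedChange model, the "vlan" condition and the record names are assumptions made for illustration.

```python
"""Added example, not text or code from IEC 80001-1: deciding whether a
proposed change to a MEDICAL IT-NETWORK is covered by an existing CHANGE
PERMIT (4.4.3.2) or must go through a MEDICAL IT-NETWORK project (4.4.3.1).
The data model, the 'vlan' condition and the record names are hypothetical;
the standard only requires that a CHANGE PERMIT state its limitations and
the CONFIGURATION MANAGEMENT records to keep for each permitted change."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

PERMIT = "apply CHANGE PERMIT"
PROJECT = "initiate MEDICAL IT-NETWORK project"


@dataclass(frozen=True)
class ChangePermit:
    permit_id: str
    device_type: str                    # the specified type of MEDICAL DEVICE
    max_devices: int                    # specified maximum number on the network
    required_records: FrozenSet[str]    # CONFIGURATION MANAGEMENT records per change
    conditions: Dict[str, str]          # other limitations, e.g. {"vlan": "monitoring"}


@dataclass(frozen=True)
class ProposedChange:
    device_type: str
    count: int                          # devices this change would add
    attributes: Dict[str, str]          # facts about the change, checked against conditions
    records_supplied: FrozenSet[str]    # CONFIGURATION MANAGEMENT records provided


@dataclass
class Decision:
    route: str                          # PERMIT or PROJECT
    permit_id: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def uncovered_reasons(permit, change, currently_connected):
    """Return every reason the permit does NOT cover the change (an empty
    list means it does). All limitations are checked so the requester sees
    every problem at once instead of one per attempt."""
    if permit.device_type != change.device_type:
        return [f"{permit.permit_id}: permit is for {permit.device_type!r}, "
                f"not {change.device_type!r}"]
    reasons = []
    # The maximum is a ceiling on the whole network, not on one change, so
    # devices already connected under this permit count against it.
    after = currently_connected + change.count
    if after > permit.max_devices:
        reasons.append(f"{permit.permit_id}: {after} devices would exceed "
                       f"the maximum of {permit.max_devices}")
    for key, required in permit.conditions.items():
        if change.attributes.get(key) != required:
            reasons.append(f"{permit.permit_id}: condition {key}={required!r} "
                           f"not met (got {change.attributes.get(key)!r})")
    missing = permit.required_records - change.records_supplied
    if missing:
        reasons.append(f"{permit.permit_id}: missing CONFIGURATION MANAGEMENT "
                       f"records {sorted(missing)}")
    return reasons


def decide(permits, change, connected_counts):
    """Route a change: the first CHANGE PERMIT whose limitations are all met
    applies; otherwise a MEDICAL IT-NETWORK project is required."""
    decision = Decision(route=PROJECT)
    for permit in permits:
        reasons = uncovered_reasons(
            permit, change, connected_counts.get(permit.permit_id, 0))
        if not reasons:
            return Decision(route=PERMIT, permit_id=permit.permit_id)
        decision.reasons.extend(reasons)
    if not decision.reasons:
        decision.reasons.append("no CHANGE PERMIT defined for this type of change")
    return decision


# Constructed sample data: one hypothetical permit with 38 of 40 monitors in use.
SAMPLE_PERMITS = [
    ChangePermit("CP-01", "patient monitor", 40,
                 frozenset({"serial", "ip", "location"}), {"vlan": "monitoring"}),
]
SAMPLE_COUNTS = {"CP-01": 38}
FULL_RECORDS = frozenset({"serial", "ip", "location"})

if __name__ == "__main__":
    for change in (
        ProposedChange("patient monitor", 2, {"vlan": "monitoring"}, FULL_RECORDS),
        ProposedChange("patient monitor", 3, {"vlan": "monitoring"}, FULL_RECORDS),
        ProposedChange("infusion pump", 1, {"vlan": "monitoring"}, FULL_RECORDS),
    ):
        d = decide(SAMPLE_PERMITS, change, SAMPLE_COUNTS)
        print(d.route, d.permit_id, d.reasons)
```

A change that no permit covers is routed to a project with every unmet limitation listed, which is what the project plan of 4.4.3.3 then has to address. The device cap is applied against the number already connected under the permit rather than per change, so repeated use of a permit cannot creep past the maximum it was risk-assessed for.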

80001-1Ed.1/CDV © IEC:2009


4.4.3.3 MEDICAL IT-NETWORK projects

4.4.3.3.1 Establishing a project plan

The RESPONSIBLE ORGANIZATION shall establish and maintain a project plan for the incorporation of a new MEDICAL DEVICE into an IT-NETWORK, for change to the MEDICAL IT-NETWORK, for change to the MEDICAL DEVICES incorporated in the MEDICAL IT-NETWORK, for decommissioning of a MEDICAL DEVICE or MEDICAL IT-NETWORK, or for any other activity that has the potential to introduce new RISK. The typical first project plan would be for development of a new MEDICAL IT-NETWORK. The project plan shall provide:

a) requirements for RISK MANAGEMENT activities including:

   i. a plan to meet the requirements stated in the RISK MANAGEMENT PLAN for the affected MEDICAL IT-NETWORK(S);

   ii. activities to establish or update any RISK MANAGEMENT FILE documents needed as a result of this project, such as the RISK MANAGEMENT PLAN or other RISK MANAGEMENT documents; and

   iii. activities for VERIFICATION of RISK CONTROL measures.

b) a description of the project including:

   i. identification of the MEDICAL IT-NETWORK(S) developed or affected by the project;

   ii. the requirements specification for the project; and

   iii. specification of the minimum set of documents required for the MEDICAL IT-NETWORK project.

c) the scope of the planned changes to the MEDICAL IT-NETWORK, including but not limited to:

   i. physical and logical configuration of the MEDICAL IT-NETWORK before and after the planned changes;

   ii. information flow before and after the planned changes;

   iii. components to be acquired or removed;

   iv. specifications of non-medical network components where relevant; and

   v. constraints on the extendibility of the existing MEDICAL IT-NETWORK.

The project plan shall be revised whenever necessary to reflect changes to the project.

The project plan shall be kept in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE in accordance with the life cycle PROCESSES of EVENT MANAGEMENT, CHANGE-RELEASE MANAGEMENT, and CONFIGURATION MANAGEMENT.

NOTE Where changes to the IT-NETWORK occur frequently, the project plan may be established as a reusable protocol document containing all these essential elements.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.4.4 Go-Live

The transition of the MEDICAL IT-NETWORK to the "live environment" (Figure 2) is the goal of all project or change initiatives. Before going live, the RESPONSIBLE ORGANIZATION shall review the MEDICAL IT-NETWORK RESIDUAL RISK.

The MEDICAL IT-NETWORK RISK MANAGER shall examine all project or change RESIDUAL RISK summaries to determine the acceptability of RISK associated with interactions with recent or pending projects or changes (e.g. the incorporation of the MEDICAL DEVICE into an operational, evolving IT-NETWORK). The MEDICAL IT-NETWORK RISK MANAGER shall oversee the aggregation of RISK CONTROL documents for the MEDICAL IT-NETWORK.

The approval by the MEDICAL IT-NETWORK RISK MANAGER shall be the RESPONSIBLE ORGANIZATION'S authority to proceed with the specified change to the MEDICAL IT-NETWORK.

The approval of the MEDICAL IT-NETWORK RESIDUAL RISK shall be documented and the configuration information recorded in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.


4.5 Live network RISK MANAGEMENT

4.5.1 Monitoring

The RESPONSIBLE ORGANIZATION shall establish and maintain a PROCESS to monitor each installed MEDICAL IT-NETWORK for emerging RISKS, effectiveness of RISK CONTROL measures, and accuracy of the original estimations of RISK level.

Requirements for monitoring shall be established as part of the RISK MANAGEMENT PLAN of the MEDICAL IT-NETWORK. Examples of what to monitor are:

a) environment changes (including the local/connected environment as well as relevant network or component DATA AND SYSTEMS SECURITY vulnerabilities);

b) operational/performance feedback, e.g. user feedback, speed problems, high error rates, failures, malicious software attacks;

c) information about the incorporated components from their MEDICAL DEVICE manufacturers;

d) information about similar MEDICAL IT-NETWORKS;

e) reports of exposure to HAZARDS; and

f) auditing of non-technical RISK CONTROL measures such as organizational policies and procedures.

If monitoring indicates an actual or potential increase in RISK associated with the MEDICAL IT-NETWORK or its components (potential or actual negative impact), the EVENT MANAGEMENT PROCESS shall be initiated and significant findings reported to the appropriate party in the RESPONSIBLE ORGANIZATION.

NOTE In some cases, the RESPONSIBLE ORGANIZATION may be required to report observations to regulatory bodies.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

4.5.2 EVENT MANAGEMENT

EVENT MANAGEMENT shall be established to:

a) capture and document negative events;

b) resolve events and propose changes as appropriate through CHANGE-RELEASE MANAGEMENT;

c) track all corrective and preventive actions leading to closure; and

d) report significant findings to the MEDICAL IT-NETWORK RISK MANAGER and/or others in the RESPONSIBLE ORGANIZATION.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

5 Document control

5.1 Document control procedure

All relevant documents in the MEDICAL IT-NETWORK life cycle shall be revised, amended, reviewed, and approved in accordance with a formal document control procedure.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.

5.2 MEDICAL IT-NETWORK RISK MANAGEMENT FILE

In addition to the requirements of other clauses of this standard, the MEDICAL IT-NETWORK RISK MANAGEMENT FILE shall provide traceability for each identified HAZARD to:

a) the RISK ANALYSIS;

b) the RISK EVALUATION;

c) the implementation and VERIFICATION of the RISK CONTROL measures; and

d) the assessment of the acceptability of any RESIDUAL RISK(S), with approval.

NOTE 1 The records and other documents that make up the MEDICAL IT-NETWORK RISK MANAGEMENT FILE may form part of other documents and files required. The MEDICAL IT-NETWORK RISK MANAGEMENT FILE need not physically contain all the records and other documents; however, it should contain at least references or pointers to all required documentation. The RESPONSIBLE ORGANIZATION should be able to assemble the information referenced in the MEDICAL IT-NETWORK RISK MANAGEMENT FILE in a timely fashion.

NOTE 2 The MEDICAL IT-NETWORK RISK MANAGEMENT FILE may be in any form or type of medium.

NOTE 3 In those organizations where an "assurance case" is the means of organizing the network RISK MANAGEMENT FILE, refer to ISO/IEC 15026-2 [5] (currently under development) for more information.

Compliance is checked by inspection of the MEDICAL IT-NETWORK RISK MANAGEMENT FILE.
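Subclauses 4.5.1 and 4.5.2 above describe one loop: monitoring inputs raise events, and EVENT MANAGEMENT captures them, tracks corrective or preventive actions to closure, and reports significant findings to the MEDICAL IT-NETWORK RISK MANAGER. The Python below is an added example written for this edition, not code from the standard or any IEC project. It models two of the monitoring inputs listed in 4.5.1: manufacturer bulletins (items a and c) matched against the asset description of 4.3.2, and operational feedback in the form of error rates (item b). The classes, the 0.05 error-rate threshold, the version-comparison rule and all sample assets and bulletins are constructed for illustration.

```python
"""Added example, not text or code from IEC 80001-1: a minimal monitoring pass
(4.5.1) feeding EVENT MANAGEMENT (4.5.2) for a live MEDICAL IT-NETWORK.
Classes, thresholds and sample data are hypothetical and constructed here."""
from dataclasses import dataclass, field
from typing import List


def parse_version(v):
    """'2.1.0' -> (2, 1, 0) so versions compare numerically; as plain strings
    '10.0' would sort before '9.0' and a bulletin could be missed."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:                      # one entry of the asset description (4.3.2)
    asset_id: str
    manufacturer: str
    model: str
    sw_version: str
    medical_device: bool


@dataclass(frozen=True)
class Bulletin:                   # manufacturer information (4.5.1 items a, c)
    manufacturer: str
    model: str
    max_affected_version: str     # software versions <= this are affected
    summary: str


@dataclass
class Event:                      # a negative event under EVENT MANAGEMENT
    event_id: int
    asset_id: str
    description: str
    significant: bool
    actions: List[str] = field(default_factory=list)
    closed: bool = False


class EventLog:
    """4.5.2 a) to d): capture events, track actions to closure, report."""

    def __init__(self):
        self.events = []

    def capture(self, asset_id, description, significant):
        event = Event(len(self.events) + 1, asset_id, description, significant)
        self.events.append(event)
        return event

    def add_action(self, event_id, action):
        self.events[event_id - 1].actions.append(action)

    def close(self, event_id):
        event = self.events[event_id - 1]
        if not event.actions:
            # Closing without a recorded action leaves nothing to trace (5.2).
            raise ValueError(f"event {event_id} has no corrective or preventive action")
        event.closed = True

    def significant_findings(self):
        """What gets reported to the MEDICAL IT-NETWORK RISK MANAGER."""
        return [e for e in self.events if e.significant and not e.closed]


def bulletin_applies(bulletin, asset):
    return (bulletin.manufacturer == asset.manufacturer
            and bulletin.model == asset.model
            and parse_version(asset.sw_version) <= parse_version(bulletin.max_affected_version))


def monitor(assets, bulletins, error_rates, log, max_error_rate=0.05):
    """One monitoring pass; returns the events it opened. A bulletin that hits
    a MEDICAL DEVICE is treated as significant because only the manufacturer
    knows its clinical impact (Annex A.2); the threshold is an assumption."""
    opened = []
    for asset in assets:
        for b in bulletins:
            if bulletin_applies(b, asset):
                opened.append(log.capture(
                    asset.asset_id, f"manufacturer bulletin applies: {b.summary}",
                    significant=asset.medical_device))
        rate = error_rates.get(asset.asset_id, 0.0)
        if rate > max_error_rate:
            opened.append(log.capture(
                asset.asset_id, f"error rate {rate:.2%} above {max_error_rate:.0%}",
                significant=False))
    return opened


# Constructed sample data: three assets, two bulletins, one error-rate reading.
SAMPLE_ASSETS = [
    Asset("INF-01", "Vendor A", "Pump-X", "2.1.0", medical_device=True),
    Asset("MON-01", "Vendor B", "Mon-Y", "4.0.2", medical_device=True),
    Asset("SW-01", "NetCo", "Edge-48", "15.2", medical_device=False),
]
SAMPLE_BULLETINS = [
    Bulletin("Vendor A", "Pump-X", "2.1.3", "Pump-X software up to 2.1.3: update available (constructed)"),
    Bulletin("Vendor B", "Mon-Y", "3.9.9", "Mon-Y software up to 3.9.9: update available (constructed)"),
]
SAMPLE_ERROR_RATES = {"SW-01": 0.08}


def run_sample():
    log = EventLog()
    opened = monitor(SAMPLE_ASSETS, SAMPLE_BULLETINS, SAMPLE_ERROR_RATES, log)
    return log, opened


if __name__ == "__main__":
    log, opened = run_sample()
    for e in opened:
        print(e.event_id, e.asset_id, e.significant, e.description)
    print("report to risk manager:", [e.event_id for e in log.significant_findings()])
```

On the sample data the pass opens two events: the bulletin for Pump-X applies to INF-01 (2.1.0 is within the affected range) and the switch's error rate breaches the threshold, while MON-01 at 4.0.2 is above the Mon-Y bulletin's range and stays quiet. Only the MEDICAL DEVICE finding is reported as significant, and it cannot be closed until an action (for instance a change proposed through CHANGE-RELEASE MANAGEMENT) has been recorded against it.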


Annex A (Informative)

Rationale

A.1 General

The convergence of MEDICAL DEVICES and information management systems has resulted in a need for changes in the way the SAFETY and EFFECTIVENESS of MEDICAL DEVICES are maintained following their placement into service. While the MEDICAL DEVICE manufacturer's responsibility for delivering a safe and effective MEDICAL DEVICE has not changed, the environment (i.e. the IT-NETWORK) that the MEDICAL DEVICE is placed into is constantly changing. The MEDICAL DEVICE manufacturer cannot foresee all the potential changes and has no way of ensuring that the MEDICAL DEVICE will function properly in all possible cases. At the same time, the healthcare delivery organization (RESPONSIBLE ORGANIZATION) has requirements relating to the effectiveness of its ability to deliver high quality health care, and to the security and privacy of PATIENT data, that must be achieved under the same constantly changing environment. Achieving these requirements cannot be accomplished without the proper functioning of the MEDICAL DEVICES that are part of the environment, that is, incorporated in its IT-NETWORK. This international standard recognizes the shared responsibility necessary to achieve all these requirements with today's rapidly changing technology. It identifies the necessary roles and responsibilities, and a PROCESS for managing the RISK posed by the incorporation of MEDICAL DEVICES into the information technology infrastructure of the healthcare delivery organization.

In order to maintain evidence of conformance to the requirements of this standard, it is necessary to collect and maintain documentation in a RISK MANAGEMENT FILE for each MEDICAL IT-NETWORK.

A.2 Clause 3

This clause identifies the roles and responsibilities that need to cooperate to successfully manage the RISK of incorporating MEDICAL DEVICES into IT-NETWORKS.

The healthcare delivery organization that owns and utilizes the MEDICAL IT-NETWORK has overall responsibility for its functioning. It is the RESPONSIBLE ORGANIZATION. To ensure that RISK MANAGEMENT is properly addressed for the MEDICAL IT-NETWORK, the TOP MANAGEMENT of the RESPONSIBLE ORGANIZATION is required by this standard to establish policy, provide resources, assign qualified people and review the results of RISK MANAGEMENT activities. It is important that someone be assigned the responsibility for the execution of the RISK MANAGEMENT PROCESS for the MEDICAL IT-NETWORK. A primary responsibility of TOP MANAGEMENT is appointing a MEDICAL IT-NETWORK RISK MANAGER and ensuring that others in the RESPONSIBLE ORGANIZATION co-operate with the MEDICAL IT-NETWORK RISK MANAGER to manage the RISK of incorporating MEDICAL DEVICES into IT-NETWORKS.

Because the concept of RISK depends on the clinical impact of a failure as well as on the probability of failure, the responsibilities of MEDICAL DEVICE manufacturers are different from those of other providers of information technology. MEDICAL DEVICE manufacturers have an understanding of the clinical impact of a network failure which is based on the intended use of the MEDICAL DEVICE, whereas IT providers can only offer information on failure modes, probabilities, etc., of the IT equipment. For these reasons, these two roles are addressed independently.

Network failure modes and probabilities also depend on items outside the control of either the MEDICAL DEVICE manufacturers or the information technology provider, such as the system design, configuration, topology, IT processes and procedures, actual use (vs. intended use) of the MEDICAL DEVICE, etc. Therefore, only the RESPONSIBLE ORGANIZATION has ultimate visibility into the RISKS of the MEDICAL IT-NETWORK, and it has the primary responsibility for the RISK MANAGEMENT of the MEDICAL IT-NETWORK.

A.3 Clause 4

A basic premise of this standard is that RISK must be considered for all changes before they are made to a MEDICAL IT-NETWORK. This standard requires RISK MANAGEMENT to be performed on MEDICAL IT-NETWORKS. There may be multiple MEDICAL IT-NETWORKS per RESPONSIBLE ORGANIZATION.

The RISK MANAGEMENT activities required in this document are based largely on those of ISO 14971 [4] but are described here in the context of an operational MEDICAL IT-NETWORK. Clause 4 is divided into subclauses that parallel the division of RISK MANAGEMENT activities during the change of a MEDICAL IT-NETWORK or during the live environment phase of a MEDICAL IT-NETWORK. Subclause 4.2 describes activities and deliverables that are required at the level of the RESPONSIBLE ORGANIZATION. These deliverables apply to all MEDICAL IT-NETWORKS within the RESPONSIBLE ORGANIZATION.

Subclause 4.3 describes activities and deliverables needed on a per MEDICAL IT-NETWORK basis that are required for RISK MANAGEMENT activities to commence.

Subclause 4.4 describes RISK MANAGEMENT activities that are required when changing a MEDICAL IT-NETWORK before it enters the live environment phase. This includes changing an existing MEDICAL IT-NETWORK as well as initially building a MEDICAL IT-NETWORK or turning a non-MEDICAL IT-NETWORK into a MEDICAL IT-NETWORK. In this stage, the traditional RISK MANAGEMENT activities occur in the context of a project. The MEDICAL IT-NETWORK RISK MANAGER is responsible for consolidating all project RISK MANAGEMENT activities into a single RISK MANAGEMENT FILE for the MEDICAL IT-NETWORK.

Some RISK CONTROL measures defined for the MEDICAL IT-NETWORK may include activities during the live environment phase, such as clinical procedures to mitigate a network outage.

To permit ongoing changes of a repetitive nature without initiating a project, some RISK CONTROL measures that meet certain conditions may be documented as CHANGE PERMITS. These CHANGE PERMITS are designed to control the RISK of future changes to the MEDICAL IT-NETWORK in the live environment that satisfy their conditions.

Subclause 4.5 describes RISK MANAGEMENT activities needed after the MEDICAL IT-NETWORK is put into use (live environment).

Monitoring is the ongoing review of all RISK MANAGEMENT activities and RISK CONTROLS that were put in place to achieve acceptable RISK in the use (live environment) of the MEDICAL IT-NETWORK(S). It delivers the evidence that the overall RISK to the KEY PROPERTIES of the MEDICAL IT-NETWORK(S) is acceptable.

EVENT MANAGEMENT specifies those actions required when a real or potential negative event occurs during use of a MEDICAL IT-NETWORK in the live environment.

A.4 Plans for future guidance for IEC 80001-1

A need for additional documents providing guidance and support for IEC 80001-1 has been recognized. Technical reports to provide this information are being planned, subject to approval of the national committees of IEC SC 62A and the member bodies of ISO TC 215. At present, the following technical reports have been proposed:

• Application of risk management for IT-networks incorporating medical devices: Guidance for Healthcare Delivery Organizations

• Application of risk management for IT-networks incorporating medical devices: Guidance for wireless networks

• Application of risk management for IT-networks incorporating medical devices: Guidance for the communication of medical device security needs, risks and controls

• Application of risk management for IT-networks incorporating medical devices: Guidance for development of responsibility agreements

• Application of risk management for IT-networks incorporating medical devices: Step-by-step risk management with examples

• Application of risk management for IT-networks incorporating medical devices: Causes of hazards associated with medical IT-networks

• Application of risk management for IT-networks incorporating medical devices: Case study operating theatres


Annex B (Informative)

Overview of RISK MANAGEMENT relationships

Figure B.1 provides an overview of the various roles and relationships involved in carrying out a RISK MANAGEMENT effort that involves incorporation of MEDICAL DEVICES on IT-NETWORKS.

[Figure B.1 is a diagram and is not reproduced in this text. Its labels name, within the RESPONSIBLE ORGANIZATION: TOP MANAGEMENT; the MEDICAL IT-NETWORK RISK MANAGER; the IT Department, the Biomedical Engineering Department and the Clinical Department; the organization's policies, processes and procedures; and the MEDICAL IT-NETWORK RISK MANAGEMENT FILE. Outside the RESPONSIBLE ORGANIZATION it names MEDICAL DEVICE manufacturers or other IT technology providers (A, B), subcontractors and others. The arrows between them carry the labels "Appoints", "Supervises", "Guides activities of", "Creates", "Approves", "Provides experts to" and "Provides input to": the departments provide experts to the MEDICAL IT-NETWORK RISK MANAGER, and the external providers provide input to the RISK MANAGEMENT FILE and to the RESIDUAL RISK.]

Figure B.1 – Overview of roles and relationships


Annex C (Informative)

Guidance on field of application

C.1 Overview

The field of application statement for IEC 80001-1 provides a starting point which describes which IT-NETWORKS are in the scope of the standard. This annex provides additional guidance, including examples of IT-NETWORKS that are in scope as well as out of scope.

C.2 When to apply this standard

Table C.1 provides guidance concerning various IT-NETWORK scenarios that may be encountered in a clinical environment and whether to apply IEC 80001-1 PROCESSES to them.

Table C.1 – IT-NETWORK scenarios that may be encountered in a clinical environment

System configuration 1a
  Scenario description: MEDICAL DEVICES from one MEDICAL DEVICE manufacturer and non-MEDICAL DEVICES incorporated by the same MEDICAL DEVICE manufacturer and installed as required by that MEDICAL DEVICE manufacturer on an isolated IT-NETWORK.
  Network components: MEDICAL and non-MEDICAL DEVICE(S) from a single MEDICAL DEVICE manufacturer.
  Network: physically isolated.
  Responsibility: MEDICAL DEVICE manufacturer.
  Standard to apply: ISO 14971.

System configuration 1b
  Scenario description: MEDICAL DEVICES from multiple MEDICAL DEVICE manufacturers and non-MEDICAL DEVICES incorporated by one MEDICAL DEVICE manufacturer and installed as required by that MEDICAL DEVICE manufacturer on an isolated IT-NETWORK.
  Network components: MEDICAL DEVICES and non-MEDICAL DEVICES from multiple MEDICAL DEVICE manufacturers.
  Network: physically isolated.
  Responsibility: MEDICAL DEVICE manufacturer.
  Standard to apply: ISO 14971.

System configuration 2a
  Scenario description: MEDICAL and non-MEDICAL DEVICES incorporated by one MEDICAL DEVICE manufacturer and MEDICAL and non-MEDICAL DEVICES incorporated by other MEDICAL DEVICE manufacturers, interconnected on the same IT-NETWORK by a 3rd party (such as a hospital).
  Network components: MEDICAL and non-MEDICAL DEVICES from multiple MEDICAL DEVICE manufacturers.
  Network: shared.
  Responsibility: RESPONSIBLE ORGANIZATION.
  Standard to apply: IEC 80001-1.

System configuration 2b
  Scenario description: MEDICAL and non-MEDICAL DEVICES incorporated by one MEDICAL DEVICE manufacturer and MEDICAL and non-MEDICAL DEVICES incorporated by other MEDICAL DEVICE manufacturers, as well as non-MEDICAL DEVICES and applications, interconnected on a shared IT-NETWORK by a 3rd party.
  Network components: MEDICAL and non-MEDICAL DEVICES from multiple MEDICAL DEVICE manufacturers plus multiple non-MEDICAL DEVICE manufacturers.
  Network: shared.
  Responsibility: RESPONSIBLE ORGANIZATION.
  Standard to apply: IEC 80001-1.

System configuration 3
  Scenario description: installations with non-MEDICAL DEVICES from multiple manufacturers using the IT-NETWORK for transmission of electronic Protected Health Information (ePHI).
  Network components: multiple non-MEDICAL DEVICE manufacturers.
  Network: shared.
  Responsibility: RESPONSIBLE ORGANIZATION.
  Standard to apply: out of IEC 80001-1 scope a).

a) Local national regulations on medical data security apply; however, the RESPONSIBLE ORGANIZATION may also choose to apply IEC 80001-1.

Some examples may assist in understanding the various network types listed above:

• Configuration 1a – PATIENT monitoring devices on their own isolated network, or the same devices with a gateway to the hospital IT-NETWORK for non-MEDICAL DEVICE uses.

• Configuration 1b – PATIENT monitoring devices from vendor A combined with network-attached infusion devices from vendor B, provided as an integrated controlled solution by a single vendor (A, B or C).

• Configuration 2a – Multiple MEDICAL DEVICES from different MEDICAL DEVICE manufacturers placed on a common IT-NETWORK by a hospital.

• Configuration 2b – Network-attached infusion devices on a shared IT-NETWORK with other hospital applications, and/or PATIENT monitoring devices on an isolated network with a gateway to the hospital IT-NETWORK for MEDICAL DEVICE uses such as alarm reporting.

• Configuration 3 – Hospital systems communicating PATIENT demographics and related electronic Protected Health Information (ePHI).


Annex D (Informative)

Relationship with ISO/IEC 20000 Information technology — Service management

D.1 General

IEC 80001-1 applies the concept of RISK MANAGEMENT to the IT-NETWORK when incorporating MEDICAL DEVICES. The RISK MANAGEMENT PROCESS is based on ISO 14971 [4], which is directed at manufacturers of MEDICAL DEVICES. Like general IT-NETWORKS, MEDICAL IT-NETWORKS can be highly complex, highly dynamic systems where events and the results of monitoring activities can lead to changes that need careful preparation prior to implementation. Whereas MEDICAL DEVICES are rarely subject to changes during their life span, IT-NETWORKS are highly susceptible to change. When MEDICAL DEVICES and IT-NETWORKS are integrated, organizations should recognize these inherent differences.

In IEC 80001-1, managing RISK in a MEDICAL IT-NETWORK is based on the operating conditions and life cycle of IT-NETWORKS. For this reason, the concepts of IT service management as described in ISO/IEC 20000 [9] have been reviewed for reference in this standard. This annex provides information on the relationship between IEC 80001-1 and ISO/IEC 20000. It aims to assist the communication between the communities responsible for IT-NETWORKS and those responsible for MEDICAL DEVICES. Bear in mind that IEC 80001-1 is a RISK MANAGEMENT standard for medical applications and ISO/IEC 20000 is a general IT service provider quality standard. Any relation between these standards also crosses these differences.

D.2 Terminology and definitions

Where MEDICAL DEVICES require maintenance, repair or modifications and eventually replacement, IT-NETWORKS have incidents and problems that must be handled and (major) changes that require careful implementation. There are many similarities in the service to both MEDICAL DEVICE(S) and IT-NETWORK(S). For reference, Figure D.1 from ISO/IEC 20000 indicates the relationship between service processes for IT-NETWORKS.

[Figure D.1 is a diagram and is not reproduced in this text. It groups the ISO/IEC 20000 processes as follows:
Service delivery processes: Capacity Management; Service Level Management; Information Security Management; Service Continuity and Availability Management; Service Reporting; Budgeting and Accounting for IT Services.
Control processes: Configuration Management; Change Management.
Release processes: Release Management.
Resolution processes: Incident Management; Problem Management.
Relationship processes: Business Relationship Management; Supplier Management.]

Figure D.1 – Service management processes (ISO/IEC 20000:2005, Figure 1)

Table D.1 relates terminology and sections of IEC 80001-1 to those in ISO/IEC 20000. The numbers indicate the section in the respective standard.

Table D.1 – Relationship between IEC 80001-1 and ISO/IEC 20000

IEC 80001-1 CDV (DIS): 2.1 ACCOMPANYING DOCUMENT
ISO/IEC 20000: see 2.30.

IEC 80001-1 CDV (DIS): 2.4 CONFIGURATION MANAGEMENT. In IEC 80001-1, CONFIGURATION MANAGEMENT is a PROCESS that stores in the CMDB.
ISO/IEC 20000: 2.5 configuration management database. The CMDB is the database used for configuration management.

IEC 80001-1 CDV (DIS): 2.7 EVENT MANAGEMENT. The nature of events is not defined in 80001-1. They relate to both the IT-NETWORK and the MEDICAL DEVICE.
ISO/IEC 20000: 2.7 incident. Incident and problem both relate to events that are managed by EVENT MANAGEMENT in IEC 80001-1.

IEC 80001-1 CDV (DIS): 2.22 RESPONSIBILITY AGREEMENT. An agreement between e.g. suppliers, manufacturers, service provider, system integrator and the RESPONSIBLE ORGANIZATION.
ISO/IEC 20000: 2.13 service level agreement (SLA); 2.14 service management. Defines the relation between the owner of an IT-network and the service provider.

IEC 80001-1 CDV (DIS): 2.23 RESPONSIBLE ORGANIZATION
ISO/IEC 20000: 2.15 service provider. The RESPONSIBLE ORGANIZATION shall certify the IT-network service provider as part of its policy.

IEC 80001-1 CDV (DIS): 2.30 RISK MANAGEMENT FILE
ISO/IEC 20000: 2.9 record; 2.3 change record; 2.11 request for change. Element(s) of the RISK MANAGEMENT FILE. 2.5 configuration management database (CMDB). Element of the RISK MANAGEMENT FILE (asset description). Note: the RISK MANAGEMENT FILE can be stored in a database that includes the CMDB.

IEC 80001-1 CDV (DIS): 3.3 TOP MANAGEMENT
ISO/IEC 20000: 3.1 Management responsibility. Both standards address senior management responsibilities. ISO/IEC 20000 leaves more organizational freedom.

IEC 80001-1 CDV (DIS): 3.4 MEDICAL IT-NETWORK RISK MANAGER. The RISK MANAGER is responsible for the RISK MANAGEMENT PROCESS.
ISO/IEC 20000: 3.1 Management responsibility. Risk management is not specifically assigned as a task for management. 6.6.7 Documents and records. Records should be analyzed; in IEC 80001-1 this is the responsibility of the RISK MANAGER.

IEC 80001-1 CDV (DIS): 3.5 MEDICAL DEVICE manufacturer(s); 3.6 Other providers of information technology. These sections specify information to be provided via the suppliers to the RESPONSIBLE ORGANIZATION.
ISO/IEC 20000: 7.1 Relationship processes – general; 6.6.5 Security and availability of information; 7.3 Supplier management. Both standards require relationships to be formalized via contract. Sections 6.6.5 and 7.3 relate to suppliers of components of the MEDICAL IT-NETWORK.

IEC 80001-1 CDV (DIS): 4.2.1 Policy for RISK MANAGEMENT for incorporating MEDICAL DEVICES
ISO/IEC 20000: 3.1 Management responsibility.

IEC 80001-1 CDV (DIS): 4.2.2 RISK MANAGEMENT PROCESS. Covers SAFETY, EFFECTIVENESS and DATA AND SYSTEMS SECURITY.
ISO/IEC 20000: 6.6.3 Security risk assessment practices. Security is a subset of the KEY PROPERTIES of a MEDICAL IT-NETWORK. IEC 80001-1 provides the general RISK MANAGEMENT PROCESS for the IT-NETWORK.

Table D.1 – Relationship between IEC 80001-1 and ISO/IEC 20000 (continued)

IEC 80001-1 CDV (DIS): 4.3 MEDICAL IT-NETWORK RISK MANAGEMENT planning and documentation
ISO/IEC 20000: 4.1 Plan service management (Plan); 4.4.2 Management of improvements; 5.1 Topics for consideration. ISO/IEC 20000 can include risk management. IEC 80001-1 defines the requirements for service management for MEDICAL IT-NETWORKS.

IEC 80001-1 CDV (DIS): 4.3.2 Asset description
ISO/IEC 20000: 6.6.2 Identifying and classifying information assets. The scope should include all KEY PROPERTIES.

IEC 80001-1 CDV (DIS): 4.3.3 IT-NETWORK documentation. This section specifies information relating to the RISK MANAGEMENT PROCESS.
ISO/IEC 20000: 4.1.1 Scope of service management; 6.6.2 Identifying and classifying information assets. The content of the information overlaps with IEC 80001-1 section 4.3.3.

IEC 80001-1 CDV (DIS): 4.3.4 RESPONSIBILITY AGREEMENT
ISO/IEC 20000: 7.3 Supplier management (1st paragraph). Both sections aim to clarify the intentions of collaboration to all relevant stakeholders.

IEC 80001-1 CDV (DIS): 4.3.5 RISK MANAGEMENT PLAN for the MEDICAL IT-NETWORK
ISO/IEC 20000: 6.6.3 Security risk assessment practices. Security is a subset of the KEY PROPERTIES of a MEDICAL IT-NETWORK. IEC 80001-1 provides the general RISK MANAGEMENT PROCESS for the IT-NETWORK.

IEC 80001-1 CDV (DIS): 4.4 CHANGE-RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT
ISO/IEC 20000: 9 Control processes; 10 Release process. Change and configuration management as well as release and go-live are covered in sections 9 and 10. IEC 80001-1 section 4 describes the RISK MANAGEMENT activities as included in these processes.

IEC 80001-1 CDV (DIS): 4.4.2.4 RISK CONTROL
ISO/IEC 20000: 9.1.5 Configuration verification and audit; 9.2.2 Planning and implementation. ISO/IEC 20000 covers a broad scope of items that require verification. VERIFICATION of RISK CONTROL measures is elaborated in IEC 80001-1.

IEC 80001-1 CDV (DIS): 4.4.3.3 Establishing a project plan. Major changes need a project to assess RISK prior to implementing the change.
ISO/IEC 20000: 9.2.1 Planning and implementation. ISO/IEC 20000 requires all changes to be planned before implementation. IEC 80001-1 requires all changes to be risk managed, which includes planning.

IEC 80001-1 CDV (DIS): 4.4.4 Authority in CHANGE-RELEASE MANAGEMENT
ISO/IEC 20000: 9.2.1 Planning and implementation; 10.1.6 Release verification and acceptance. IEC 80001-1 assigns the responsibility for sign-off to the RISK MANAGER.

IEC 80001-1 CDV (DIS): 4.5.1 Monitoring
ISO/IEC 20000: 10.1.8 Roll-out, distribution and installation; 10.1.9 Post release and roll-out. Monitoring can relate to both organizational and technical RISK CONTROL measures.

IEC 80001-1 CDV (DIS): 5.1 Document control procedure
ISO/IEC 20000: 3.2 Documentation requirements.

IEC 80001-1 CDV (DIS): 5.2 MEDICAL IT-NETWORK RISK MANAGEMENT FILE
ISO/IEC 20000: 5.2 Change records; 6.6.7 Documents and records; 10.1.7 Documentation.


Annex E Bibliography

[1] IEC 60601-1:2005, Medical electrical equipment – Part 1: General requirements for basic safety and essential performance

[2] IEC 61907:— 3), Guidance on communication network dependability engineering

[3] IEC 62304:2006, Medical device software – Software life-cycle processes

[4] ISO 14971:2007, Medical devices – Application of risk management to medical devices

[5] ISO/IEC 15026-2:— 4), Systems and software engineering – Systems and software assurance – Part 2: Assurance case

[6] ISO/IEC 15408 (all parts), Information technology – Security techniques – Evaluation criteria for IT security

[7] ISO 16484-2:2004, Building automation and control systems (BACS) – Part 2: Hardware

[8] ISO 9000:2005, Quality management systems – Fundamentals and vocabulary

[9] ISO/IEC 20000-1:2005, Information technology – Service management – Part 1: Specification

[10] Global Harmonization Task Force (GHTF) – Study Group 1 (SG1), Document No. N029R11, dated 2 Feb. 2002

—————————
3) To be published.
4) To be published.
